Did you know that they can spam VOIP just like they spam e-mails? Whoever “they” may be, the threat may very well be quite real and has actually been given a name. “Spit” stands for spam attacks against internet telephony connections. Alright, I do not know who coined this term and whether I think it is clever or just plain silly. Still, that is beside the point – it might exist and might pose a problem in the future.

According to the Heise Online News, the Internet Engineering Task Force is going to be working on this issue over the next 6 to 12 months. Yet is there really a threat? According to Jon Petersen, “there was no evidence at the present time that a “spit” problem existed. In his opinion it was still, at best, theoretical. A representative of the NEC Lab in Heidelberg, on the other hand, said that work on possible solutions to “spit” had already been going on there for three years. At present, he said, the “spit” figures were still small, but “spit” was expected to become a serious problem as internet telephony became more widespread.”

However, if spit does become a serious threat, some people are concerned about the consequences:

“The costs incurred if we do nothing are very high,” warns SIP developer Henning Schulzrinne of Columbia University . It had taken a long time before anyone reacted to the now-familiar email spam, he pointed out, and now the implementation of countermeasures was struggling along behind the problem. Schulzrinne is one of the authors of an internet draft that contains preliminary recommendations. “Do we really want to wait until we have a VoIP botnet problem?”, Schulzrinne asked.
As with email spam, the developers who are already working on possible defences have no magic recipe against “Spit”. Among the possible options mooted are solutions involving the identification and authentication of callers, statistical solutions - meaning the blocking of mass calls emanating from one account - or defence through the cost of making a contact (something that was considered for email, but was swiftly rejected).

I tend to lean towards the side of caution here. I would rather have people working on this as early as now and ready to face the threat when it does arise. How about you? What do you think about all this ruckus?

Don't miss a post! Subscribe to the RSS feed or by email today!